Search form

Computer Fraud And Abuse Act Reform

Computer Fraud And Abuse Act Reform

Computer Fraud And Abuse Act Reform

After the tragic death of programmer and Internet activist Aaron Swartz, EFF calls to reform the infamously problematic Computer Fraud and Abuse Act (CFAA). In June 2013, Aaron's Law, a bipartisan bill to make common sense changes to the CFAA was introduced by Reps. Lofgren and Sensenbrenner. You can help right now by emailing your Senator and Representative to reform the draconian computer crime law. The CFAA is the federal anti-hacking law. Among other things, this law makes it illegal to intentionally access a computer without authorization or in excess of authorization; however, the law does not explain what "without authorization" actually means. The statute does attempt to define "exceeds authorized access," but the meaning of that phrase has been subject to considerable dispute. While the CFAA is primarily a criminal law intended to reduce the instances of malicious hacking, a 1994 amendment to the bill allows for civil actions to be brought under the statute.

Creative prosecutors have taken advantage of this confusion to bring criminal charges that aren't really about hacking a computer, but instead target other behavior prosecutors dislike. For example, in cases like United States v. Drew and United States v. Nosal the government claimed that violating a private agreement or corporate policy amounts to a CFAA violation. This shouldn't be the case. Compounding this problem is the CFAA's disproportionately harsh penalty scheme. Even first-time offenses for accessing a protected computer without sufficient "authorization" can be punishable by up to five years in prison each (ten years for repeat offenses), plus fines. Violations of other parts of the CFAA are punishable by up to ten years, 20 years, and even life in prison. The excessive penalties were a key factor in the government's case against Aaron Swartz, where eleven out of thirteen alleged crimes were CFAA offenses, some of which were "unauthorized" access claims. EFF is championing reforms to the CFAA. These suggestions expand on Zoe Lofgren's terrific draft bill known as Aaron's Law. We will expand on this and address other flaws of the CFAA, as well.

Whistleblower Chelsea Manning was released from prison more than a year ago, after former President Barack Obama commuted her sentence for releasing military and diplomatic records to WikiLeaks. But her case still continues, as Manning wants to appeal her original conviction—including one charge under a controversial a federal...

In a letter to Georgia Gov. Nathan Deal, 55 cybersecurity professionals from around the country are calling for a veto for S.B. 315, a state bill that would give prosecutors new power to target independent security researchers. This isn’t just a matter of solidarity among those in the profession...

Despite the full-throated objections of the cybersecurity community, the Georgia legislature has passed a bill that would open independent researchers who identify vulnerabilities in computer systems to prosecution and up to a year in jail. EFF calls upon Georgia Gov. Nathan Deal to veto S.B. 315 as soon...

Last weekend’s Cambridge Analytica news—that the company was able to access tens of millions of users’ data by paying low-wage workers on Amazon’s Mechanical Turk to take a Facebook survey, which gave Cambridge Analytica access to Facebook’s dossier on each of those turkers’ Facebook friends—has hammered home two problems: first...

A misguided bill in Georgia (S.B. 315) threatens to criminalize independent computer security research and punish ordinary technology users who violate fine-print terms of service clauses. S.B. 315 is currently making its way through the state’s legislature amid uproar and resistance that its sponsors might not have fully...